Bug bounty hunters score big dollars and the boom's only just begun

Reg man Darren Pauli hangs with happy hackers-for-hire

Feature Nathaniel Wakelam made US$250,000 last year. In his second job, finding and reporting bugs to bug bounty programs.

Wakelam's a 20-year-old high school and university drop-out who has become something of a poster boy for the bug bounty boom, a movement that sees the world's biggest companies pay guys like him tens of thousands of dollars for reporting vulnerabilities in popular apps, services, and video games.

Wakelam is not unique. Prominent bug bounty hunter Mark Litchfield reckons he has earned half a million US dollars over the last two years.

These bounties are secondary incomes for most bounty hunters. Over a few hours on an ordinary Friday night, Wakelam can be found teasing out remote code execution bugs on some of the world's most popular consumer platforms and earning himself a quick US$20,000, or around two-thirds of the Australian annual minimum wage, with time left to go out for a drink.

He is one of hundreds of talented hackers around the world who have jumped on the bug bounty boom finding and reporting holes for money in the world's biggest technology and household companies.

Bounty hunter ... Nathaniel Wakelam (Image: Darren Pauli)

Bug bounty programs have become big business because big business sees them as cheap and effective security research. The likes of General Motors, PayPal, and gaming and media giants are paying millions of dollars to hackers from Australia to Zimbabwe, while other blue chip security slackers debate the return on investment of proper patching.

"It's been a ride," Wakelam tells The Register. "We've made a lot of money."

The Netscape Champions

It has been 20 years since Jarrett Neil Ridlinghafer successfully pitched what he and friends would later call a "bug bounty" during a polarised meeting with Netscape executives at the dawn days of the Dot-Com boom. It was a stroke of genius that tapped into the lifeblood of the Californian open source advocates and also a means of protecting the image of the web as a safe place during its early years.

The idea was striking in its simplicity; ask Netscape's highly engaged, tech-savvy community, which was already peering under the browser's hood, to report any security flaws they found. In return, engineers would send them stuff. The community would soon go on to not only report vulnerabilities under the Netscape Champions program but help engineers stress test the browser in simulated distributed denial of service attacks.

The Champions program would have never left the launchpad had engineers not universally backed Ridlinghafer's pitch to tap into Netscape's hitherto distributed brains trust. The then-Netscape-employee-number-121 had won over most staff at that meeting. "When I pitched my idea I was nervous," Ridlinghafer tells The Reg during a phone call from Odessa, Ukraine, where he is working on an incubator for next-generation tech. "They didn't seem to think these guys (the Netscape community) would do a better job finding bugs than our engineers. I said they already are."

Rick Schell was Netscape's vice president of engineering and one of the dissenters at the meeting. The subsequent years have obscured his recollection as to precisely why he did not immediately leap at the bugs bounty idea, but the former Borland tech says it was not for suspicion of external help.

"I had been at Borland in the late 80s where we had groups of outsiders helping us all the time," Schell says, now working with a Menlo Park venture capital firm. "Beta programs are about external people helping. If anything, it (dissent) had to do with paying outsiders bounties in the way it was proposed."

Schell suggests the bug bounty program may have been perceived as a possible risk to Netscape's hoped-for rapid release program, by threatening to bog it down in bug triage. "We were moving very fast, and any tax on the organisation that we weren't set up for was problematic."

Schell was helped onto the bugs bounty ship by the late Netscape marketing vice president Mike Homer and chief executive Jim Barksdale. Some time later the program would be seen universally as a benefit to security and to Netscape's reputation, notably at a time when Intel made itself a pariah for sweeping the floating point bug under the rug.

Ridlinghafer, who two years earlier was cleaning pools in Arizona for US$9 a pop, found himself in the operations wing working with company engineers. He says the incoming bugs were amazing, and a vibrant community was eager to exchange vulnerabilities for T-shirts and schwag from the Netscape shop. They were happy too with the boozy parties Netscape would throw for its Champions every few months in the tech mecca.

Sometime around 1996 another meeting was reconvened between executives. It was decided Netscape vulnerability hunters would get cash alongside T-shirts under what became the world's first bug bounty as it is currently known. The bounties ranged up to about $1,000 for the most critical holes.